Hi all,
I run with Freeradius 2.1, CiscoASA and RSASecurid "OTP"+RSARadius.
I set my CiscoASA to authenticate against freeradius. On this
freeradius server, I created a realm "OTP" which proxies the request to a
RSARadius (the only one that can ask the RSAOTP Securid database). So when I
authenticate with [EMAIL PROTECTED]/Passcode with my CiscoVPNclient, the
authentication is successful. No pb. Here's the log:
======(log)
[suffix] Looking up realm "otp" for User-Name = "[EMAIL PROTECTED]"
[suffix] Found realm "otp"
[suffix] Adding Stripped-User-Name = "xxxxxxxxxx"
[suffix] Adding Realm = "otp"
[suffix] Proxying request from user xxxxxxxxxx to realm otp
[suffix] Preparing to proxy authentication request to realm "otp"
++[suffix] returns updated
...
rad_recv: Access-Accept packet from host 192.168.1.1 port 1812, id=4,
length=85
Class = x53425232434cd5a0c3accfca8fd9efc01180270180038198
Proxy-State = 0x313530
======(end of log)
The second thing I want to do is to "import" the user's "policy group"
(radiusClass) and its own IP Address (radiusFramedIPAddress). Those
attributes are located in an LDAP directory server. So I decided to add
the "ldap" module in the authorization section of my freeradius conf
files. In the logs, I clearly see that freeradius is doing a great job
(asking and receiving my ldap attrs).
======(log)
[ldap] performing user authorization for xxxxxxxxxx
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=xxxxxxxxxx)
expand: o=gouv,c=fr -> o=gouv,c=fr
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
...
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=gouv,c=fr, with filter (uid=xxxxxxxxxx)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
rlm_ldap: radiusClass -> Class = 0x646976696e666f
rlm_ldap: radiusFramedIPAddress -> Framed-IP-Address = 1.2.3.4
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user xxxxxxxxxxx authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
======(end of log)
My problem is that finally I get 2 successful auths (I interpret it
like this, sorry...), and Freeradius "chooses" Auth-Type=Accept
(ProxyRSARadius Response which doesn't contain my class and
framedipaddress I need to push to my CiscoASA).
======(log)
Found Auth-Type = LDAP
Found Auth-Type = Accept
Warning: Found 2 auth-types on request for user 'xxxxxxxxxxx'
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 150 to 192.168.1.2 port 1025
Class = 0x53425232434cd5a0c3accfca8fd9efc0118027018
Finished request 0.
======(end of log)
In other words (sorry for being so long), I would love to authenticate
against my OTP RSASecurid boxes and concatenate Radius attributes found
in an LDAP directory...
Where should I go? post_proxy module?
Any help would be greatly appreciated.
Kind regards,
Paul
--
============================
Paul TAVERNIER
Equipe Reseaux-Securite
Division Informatique
Rectorat de ROUEN
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
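An added illustration of the post-proxy approach asked about in the post above (example config, not part of the original message or of the FreeRADIUS distribution). It assumes FreeRADIUS 2.x unlang in sites-enabled/default, the "ldap" module instance configured with the post's base DN and uid filter, and that reply items added in authorize are dropped once the request is proxied, so the LDAP attributes are fetched with the rlm_ldap xlat only after the Access-Accept from realm "otp" has come back.

```unlang
# sites-enabled/default, FreeRADIUS 2.x (added example; only the lines
# relevant to this case are shown, the other default modules are omitted).
authorize {
    preprocess
    # suffix strips "@otp", sets Stripped-User-Name and Proxy-To-Realm.
    suffix
    # "ldap" is deliberately NOT called here: in authorize it sets
    # Auth-Type = LDAP (no known-good password in the directory) and
    # competes with the Auth-Type = Accept produced by the proxied reply,
    # and the reply items it adds are discarded when the request is
    # proxied anyway.
}

post-proxy {
    # Runs when the reply from the home server (realm "otp") comes back.
    # Only enrich a successful authentication.
    if ("%{proxy-reply:Packet-Type}" == "Access-Accept") {
        update reply {
            # rlm_ldap xlat, LDAP URL form: ldap:///base?attr?scope?filter
            # (assumed module instance name "ldap", base DN from the post).
            Framed-IP-Address := "%{ldap:ldap:///o=gouv,c=fr?radiusFramedIPAddress?sub?(uid=%{Stripped-User-Name})}"
            # ":=" replaces the opaque Class sent by the RSA server with the
            # policy group from LDAP; use "+=" to keep both Class values.
            Class := "%{ldap:ldap:///o=gouv,c=fr?radiusClass?sub?(uid=%{Stripped-User-Name})}"
        }
    }
}
```

Check with radiusd -X that both expansions return a value, since an empty expansion makes the update fail. The xlat form is used instead of a bare `ldap` call in post-proxy because the module-call form depends on rlm_ldap exposing a post-proxy method, which is assumed not to be available in 2.1.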